When the board starts knocking, well-meaning CISOs and security teams spring into action, ordering up assessments and other services from a growing cottage industry of third-party security consultants. That's healthy too — healthcare is one of many industries that need an ecosystem of support around security activities.

The best assessments are sound, complete, and actionable. The worst ones ain't.

Given a statement of work from a third-party assessor, how can you tell whether it's sound, complete, and actionable? That's for a forthcoming post. This post is about one kind of unhelpful assessment: the kind that's only a penetration test.

Virta Labs provides a managed cybersecurity service to help hospitals manage their clinical assets and ensure continuity of operations. But our team has an interesting history: we coauthored the first research on cardiac implant security in 2008 and have published extensively on medical device security since then. As a result, we recently received a flood of technical questions unrelated to our normal menu of services. Virta Labs engineers took time away from building BlueFlow to provide a seminar, white paper, and consultations and to develop our own scientific experimental methods. We're glad that the industry is developing interest in improving medical device security as we've urged for nearly a decade. While this was a necessary and important diversion for us, we are getting back to our core business and clinical tests of BlueFlow.

We have no financial relationship with Muddy Waters Research LLC, St. Jude Medical, or MedSec Ltd. We plan to release a peer-reviewed report shortly so that the greater community may analyze our findings and results.

SECURITY IS CONTINUITY OF OPERATIONS

Virta Labs builds security tools tailored to healthcare. With a decade of experience in healthcare security, we understand the importance of respecting safety and clinical workflow. We help healthcare IT focus on the risks that matter.